Sparrowvsrevolution writes: At the Shmoocon hacker conference, security researcher Kristin Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)

The payment industry often claims that contactless credit cards are more safe than traditional cards, and that any data a hacker could wirelessly read from them can't be used for fraud. But with 100 million of the RFID-enabled credit cards now in circulation, Paget wanted to undisputably show that's not the case. A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses.